Search in sources :

Example 36 with UnauthorizedException

use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.

the class InMemoryAuthorizer method enforce.

@Override
public void enforce(EntityId entity, Principal principal, Set<Action> actions) throws UnauthorizedException {
    // super users do not have any enforcement
    if (superUsers.contains(principal) || superUsers.contains(allSuperUsers)) {
        return;
    }
    // actions allowed for this principal
    Set<Action> allowed = getActions(entity, principal);
    if (allowed.containsAll(actions)) {
        return;
    }
    Set<Action> allowedForRoles = new HashSet<>();
    // actions allowed for any of the roles to which this principal belongs if its not a role
    if (principal.getType() != Principal.PrincipalType.ROLE) {
        for (Role role : getRoles(principal)) {
            allowedForRoles.addAll(getActions(entity, role));
        }
    }
    if (!allowedForRoles.containsAll(actions)) {
        throw new UnauthorizedException(principal, Sets.difference(actions, allowed), entity);
    }
}
Also used : Role(co.cask.cdap.proto.security.Role) Action(co.cask.cdap.proto.security.Action) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) HashSet(java.util.HashSet)

Example 37 with UnauthorizedException

use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.

the class DefaultAuthorizationEnforcerTest method testPropagationDisabled.

@Test
public void testPropagationDisabled() throws Exception {
    CConfiguration cConfCopy = CConfiguration.copy(CCONF);
    try (AuthorizerInstantiator authorizerInstantiator = new AuthorizerInstantiator(cConfCopy, AUTH_CONTEXT_FACTORY)) {
        DefaultAuthorizationEnforcer authorizationEnforcer = new DefaultAuthorizationEnforcer(cConfCopy, authorizerInstantiator);
        authorizerInstantiator.get().grant(Authorizable.fromEntityId(NS), ALICE, ImmutableSet.of(Action.ADMIN));
        authorizationEnforcer.enforce(NS, ALICE, Action.ADMIN);
        try {
            authorizationEnforcer.enforce(APP, ALICE, Action.ADMIN);
            Assert.fail("Alice should not have ADMIN privilege on the APP.");
        } catch (UnauthorizedException ignored) {
        // expected
        }
    }
}
Also used : UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) CConfiguration(co.cask.cdap.common.conf.CConfiguration) Test(org.junit.Test)

Example 38 with UnauthorizedException

use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.

the class DefaultAuthorizationEnforcerTest method testAuthEnforce.

@Test
public void testAuthEnforce() throws Exception {
    try (AuthorizerInstantiator authorizerInstantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
        Authorizer authorizer = authorizerInstantiator.get();
        DefaultAuthorizationEnforcer authEnforcementService = new DefaultAuthorizationEnforcer(CCONF, authorizerInstantiator);
        // update privileges for alice. Currently alice has not been granted any privileges.
        assertAuthorizationFailure(authEnforcementService, NS, ALICE, Action.ADMIN);
        // grant some test privileges
        DatasetId ds = NS.dataset("ds");
        authorizer.grant(Authorizable.fromEntityId(NS), ALICE, ImmutableSet.of(Action.READ, Action.WRITE));
        authorizer.grant(Authorizable.fromEntityId(ds), BOB, ImmutableSet.of(Action.ADMIN));
        // auth enforcement for alice should succeed on ns for actions read and write
        authEnforcementService.enforce(NS, ALICE, ImmutableSet.of(Action.READ, Action.WRITE));
        assertAuthorizationFailure(authEnforcementService, NS, ALICE, EnumSet.allOf(Action.class));
        // alice do not have READ or WRITE on the dataset, so authorization should fail
        assertAuthorizationFailure(authEnforcementService, ds, ALICE, Action.READ);
        assertAuthorizationFailure(authEnforcementService, ds, ALICE, Action.WRITE);
        // Alice doesn't have Admin right on NS, hence should fail.
        assertAuthorizationFailure(authEnforcementService, NS, ALICE, Action.ADMIN);
        // bob enforcement should succeed since we grant him admin privilege
        authEnforcementService.enforce(ds, BOB, Action.ADMIN);
        // revoke all of alice's privileges
        authorizer.revoke(Authorizable.fromEntityId(NS), ALICE, ImmutableSet.of(Action.READ));
        try {
            authEnforcementService.enforce(NS, ALICE, Action.READ);
            Assert.fail(String.format("Expected %s to not have '%s' privilege on %s but it does.", ALICE, Action.READ, NS));
        } catch (UnauthorizedException ignored) {
        // expected
        }
        authorizer.revoke(Authorizable.fromEntityId(NS));
        assertAuthorizationFailure(authEnforcementService, NS, ALICE, Action.READ);
        assertAuthorizationFailure(authEnforcementService, NS, ALICE, Action.WRITE);
        authEnforcementService.enforce(ds, BOB, Action.ADMIN);
    }
}
Also used : Action(co.cask.cdap.proto.security.Action) Authorizer(co.cask.cdap.security.spi.authorization.Authorizer) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException) DatasetId(co.cask.cdap.proto.id.DatasetId) Test(org.junit.Test)

Example 39 with UnauthorizedException

use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.

the class AbstractAuthorizationEnforcer method enforce.

@Override
public void enforce(EntityId entity, Principal principal, Set<Action> actions) throws Exception {
    if (!isSecurityAuthorizationEnabled()) {
        return;
    }
    Set<Action> disallowed = EnumSet.noneOf(Action.class);
    UnauthorizedException unauthorizedException = new UnauthorizedException(principal, entity);
    for (Action action : actions) {
        try {
            enforce(entity, principal, action);
        } catch (UnauthorizedException e) {
            disallowed.add(action);
            unauthorizedException.addSuppressed(e);
        }
    }
    if (!disallowed.isEmpty()) {
        throw new UnauthorizedException(principal, disallowed, entity, unauthorizedException);
    }
}
Also used : Action(co.cask.cdap.proto.security.Action) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException)

Example 40 with UnauthorizedException

use of co.cask.cdap.security.spi.authorization.UnauthorizedException in project cdap by caskdata.

the class RemoteAuthorizationEnforcer method enforce.

@Override
public void enforce(EntityId entity, Principal principal, Action action) throws Exception {
    if (!isSecurityAuthorizationEnabled()) {
        return;
    }
    AuthorizationPrivilege authorizationPrivilege = new AuthorizationPrivilege(principal, entity, action);
    boolean allowed = cacheEnabled ? authPolicyCache.get(authorizationPrivilege) : doEnforce(authorizationPrivilege);
    if (!allowed) {
        throw new UnauthorizedException(principal, action, entity);
    }
}
Also used : AuthorizationPrivilege(co.cask.cdap.proto.security.AuthorizationPrivilege) UnauthorizedException(co.cask.cdap.security.spi.authorization.UnauthorizedException)

Aggregations

UnauthorizedException (co.cask.cdap.security.spi.authorization.UnauthorizedException)49 Test (org.junit.Test)18 IOException (java.io.IOException)15 EntityId (co.cask.cdap.proto.id.EntityId)13 Principal (co.cask.cdap.proto.security.Principal)13 Action (co.cask.cdap.proto.security.Action)12 BadRequestException (co.cask.cdap.common.BadRequestException)11 ApplicationId (co.cask.cdap.proto.id.ApplicationId)10 NamespaceNotFoundException (co.cask.cdap.common.NamespaceNotFoundException)9 JsonSyntaxException (com.google.gson.JsonSyntaxException)9 ExecutionException (java.util.concurrent.ExecutionException)9 NotFoundException (co.cask.cdap.common.NotFoundException)8 NamespaceId (co.cask.cdap.proto.id.NamespaceId)7 DatasetManagementException (co.cask.cdap.api.dataset.DatasetManagementException)6 ConflictException (co.cask.cdap.common.ConflictException)6 StreamId (co.cask.cdap.proto.id.StreamId)6 ArtifactAlreadyExistsException (co.cask.cdap.common.ArtifactAlreadyExistsException)5 ArtifactNotFoundException (co.cask.cdap.common.ArtifactNotFoundException)5 WriteConflictException (co.cask.cdap.internal.app.runtime.artifact.WriteConflictException)5 NamespaceMeta (co.cask.cdap.proto.NamespaceMeta)5